When I was at University, I learnt to develop with Pascal, C/C++ and Assembly languages, although I learnt a little bit about PHP, HTML, JavaScript and Java as well. I developed applications without thinking about publishing them to the Internet, just basic web pages. Today, however, web applications sit behind an API or RESTful web service that is consumed by Single Page Applications (SPAs) and mobile applications. In addition, microservices written in Node.js and Spring Boot are replacing traditional monolithic applications, and they bring security challenges of their own, such as establishing trust between microservices, securing containers and managing secrets. On the other hand, modern web frameworks such as Bootstrap, Electron, Angular and React run functionality on the client side, while traditional frameworks run it on the server side.

The difference between the monolithic and microservices architecture

Many changes have taken place over the last few years and, therefore, the OWASP Top 10 has been updated. For instance, there is a new category called A4 – XML External Entities (XXE), because new issues have been identified in older or poorly configured XML processors when they evaluate external entity references within XML documents.

A4 – XML External Entities (XXE)
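The safest XML processor is one that never evaluates a DTD, so there is nothing in which an external entity can be declared. The following hardened parser, an added example that is not part of the original post, refuses any DOCTYPE and any external entity reference using Python's expat bindings; the two sample documents and the placeholder `file:///` URI are constructed for the demonstration.

```python
"""Hardened XML parsing: refuse DOCTYPE declarations and external entity
references so an XXE-style document is rejected instead of evaluated."""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD or an external entity reference."""


def parse_hardened(data: bytes) -> tuple[str, str]:
    """Return (root element name, concatenated text) or raise UnsafeXMLError."""
    parser = expat.ParserCreate()
    # Never read external parameter entities (an external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root, text = [], []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Refusing every DOCTYPE removes the place where entities are declared.
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} refused: DTDs not accepted")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: even if a DTD were accepted, fetch nothing external.
        raise UnsafeXMLError(f"external entity {system_id!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: root.append(name) if not root else None
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return root[0], "".join(text).strip()


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample input: an ordinary document and one declaring an external
# entity with a placeholder URI (not a real file).
SAFE_DOC = b"<order><sku>widget-42</sku></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-real">]>'
           b"<order><sku>&ext;</sku></order>")

if __name__ == "__main__":
    print(parse_hardened(SAFE_DOC))  # ('order', 'widget-42')
    print(is_rejected(XXE_DOC))      # True
```

The same principle applies to Java and Node.js XML libraries: disable DOCTYPE and external entity support before parsing untrusted input, and log rejected documents so XXE attempts become visible to monitoring.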

Insecure Direct Object References and Missing Function Level Access Control have been merged into A5 – Broken Access Control, where restrictions on what authenticated users are allowed to do are often not properly enforced.

A5 – Broken Access Control

A8 – Insecure Deserialization is another new category in the OWASP Top 10. It is initially difficult to exploit, but a successful exploitation can lead to remote code execution, and it can also be used for replay attacks, injection attacks and privilege escalation attacks.

A8 – Insecure Deserialization

The last change to the OWASP Top 10 has been to add the category A10 – Insufficient Logging and Monitoring, because many organizations do not have the security tools and processes to detect malicious activities and data breaches. As a result, they learn of a security breach from external parties, on average more than 200 days after it happened.

A10 – Insufficient Logging and Monitoring

This has been an overview of the changes in the OWASP Top 10 – 2017. It is also worth highlighting other security risks, such as Injection and Cross-Site Scripting (XSS), which keep their importance in the OWASP Top 10.